Monday, July 18, 2011

SSH: Public Key Authentication with OpenSSH

SSH uses the Unix/Linux account’s username and password for authentication by default. Although the username and password are encrypted during the authentication session, it still suffers from dictionary attacks. Public key authentication in SSH closes this loophole.

Public key authentication uses a public key cryptography scheme for its encryption operations. It performs encryption using a key pair consisting of a private key and a public key. Public key cryptography offers a very high level of security, and the security level increases exponentially with larger key lengths. As the name implies, the public key is known to the public, while the private key should be kept by the user in a secure and safe place. The public key is generated from the private key, but it is computationally very costly to derive the private key from the public key.

In SSH, the public key is stored on the SSH server and the SSH client uses the private key to gain access to the SSH service. Choosing a key length of 1024 bits or higher is common practice for the SSH service. To learn more about the SSH authentication protocol, read: http://www.ietf.org/rfc/rfc4252.txt.

OpenSSH: SSH authentication

OpenSSH is a free version of the SSH tools. It was designed for the OpenBSD operating system and has been ported to other operating systems, including Linux and Windows. It has become the most common SSH toolset in the market.

OpenSSH doesn’t come with a fancy GUI front end. All tools are available as console programs. The most commonly used tool is “ssh” in Linux or “ssh.exe” in Windows. It acts as an SSH client to access the shell account of a hos

To use SSH, type

# ssh ssh-server.example.com

Some common parameters are “-l” and “-p”, which supply the login user name and the port number respectively.

Copy id_rsa to any SSH client that wants to connect to this server via SSH. Keep in mind that id_rsa is stored in the OpenSSH file format.

OpenSSH: Deploy private key

The private key generated by OpenSSH may be used directly by the OpenSSH client on both Windows and Linux. No conversion is needed. Just copy the private key file to the ~/.ssh/ folder and configure ~/.ssh/config to make it work for public key authentication.

OpenSSH: Disable password authentication

Once the public key authentication scheme is ready for use in real practice, you may consider disabling classic password authentication by changing /etc/sshd_config on the SSH server:

Remember to restart or reload the sshd service to enforce the changes once the configuration has been updated.

Using OpenSSH in Windows

There are some tricks to using OpenSSH in Windows. OpenSSH requires an environment variable “HOME” to locate the .ssh folder that keeps the ssh configuration file. A common practice is to set HOME to %USERPROFILE% and create a .ssh folder inside the %USERPROFILE% folder. You may keep the private key file in the %HOME%\.ssh folder:

OpenSSH: Configuration file

The configuration for OpenSSH is usually kept in ~/.ssh/config. Here is a sample OpenSSH configuration file:

The configuration specifies the private key file to use for two servers, and the user name to log in with if it differs from the local account’s user name. Server2 even specifies the SSH port number to use when connecting to server2.
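As an added example (not from the original post, and not OpenSSH’s own parser), the following Python resolves a ~/.ssh/config of the shape described above (a private key per server, a different login name, a custom port for server2) the way ssh does, using the first-obtained-value rule, and checks an sshd_config excerpt for the PasswordAuthentication setting discussed earlier. The host names, key paths and config contents are constructed for the example.

```python
import fnmatch
import re

# Constructed ~/.ssh/config in the layout the post describes: a key per server,
# a login name that differs from the local account, a custom port for server2.
CLIENT_CONFIG = """\
Host server1
    HostName server1.example.com
    User alice
    IdentityFile ~/.ssh/id_rsa_server1
Host server2
    HostName server2.example.com
    User bob
    Port 2222
    IdentityFile ~/.ssh/id_rsa_server2
Host *
    Port 22
"""
# Constructed excerpt of the server's sshd_config after password logins are off.
SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
"""

def parse_lines(text):
    """Yield (keyword, value); keywords are case-insensitive, '=' or space separated."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            yield parts[0].lower(), parts[1].strip()

def resolve_host(config_text, host):
    """Effective options for host: ssh keeps the FIRST value obtained per keyword."""
    found, active = {}, True  # lines before any Host block apply to every host
    for key, value in parse_lines(config_text):
        if key == "host":  # negated '!' patterns are not handled here
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active:
            found.setdefault(key, value)  # so 'Host *' must come last
    return found

def password_auth_disabled(sshd_text):
    """True if the first PasswordAuthentication line is 'no' (sshd is first-wins too)."""
    for key, value in parse_lines(sshd_text):
        if key == "passwordauthentication":
            return value.lower() == "no"
    return False  # OpenSSH's built-in default is 'yes'
```

Because the first value wins, placing the generic Host * block before the server-specific blocks would silently override their Port and User settings; this resolver makes that ordering mistake visible.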